GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-08-20 04:27:39
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465,76GB
Running: gmer.exe; Driver: C:\Users\piotr\AppData\Local\Temp\kgloapow.sys

---- System - GMER 2.1 ----

INT 0x51 ? 87519CB8
INT 0x62 ? 87519CB8
INT 0x82 ? 87519CB8
INT 0x92 ? 85225CB8
INT 0x92 ? 87519CB8
INT 0x92 ? 87519CB8
INT 0x92 ? 87519CB8
INT 0x92 ? 85225CB8
INT 0xA2 ? 87519CB8

---- Kernel code sections - GMER 2.1 ----

.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8AB03774]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90010000, 0x258606, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!LdrLoadDll 77689378 5 Bytes JMP 74261F4C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtCreateFile 776C4264 5 Bytes JMP 5B4F3D20 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtFlushBuffersFile 776C4764 5 Bytes JMP 5B4DC661 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtQueryFullAttributesFile 776C4C94 5 Bytes JMP 5B4F3820 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtReadFile 776C4EC4 5 Bytes JMP 5B4DC750 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtReadFileScatter 776C4ED4 5 Bytes JMP 5BD7E1FF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtWriteFile 776C54D4 5 Bytes JMP 5B4F43D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] ntdll.dll!NtWriteFileGather 776C54E4 5 Bytes JMP 5BD7E1AE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] kernel32.dll!HeapSetInformation + 26 763CA9B8 7 Bytes JMP 5B4F06F3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] kernel32.dll!LockResource + C 763E6BD3 7 Bytes JMP 5BD1F55F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] kernel32.dll!VirtualAllocEx + 54 763EB030 7 Bytes JMP 5BD1F582 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] USER32.dll!GetWindowInfo 777C428E 5 Bytes JMP 5BC2E5A9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4948] GDI32.dll!SetStretchBltMode + 256 768F745C 7 Bytes JMP 5BD1F4E0 C:\Program Files\Mozilla Firefox\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74707817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7474B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7470BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [747373F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7470DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7478CB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7472C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[3660] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74702AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 852261F8
Device \FileSystem\udfs \UdfsCdRom 875181F8
Device \FileSystem\udfs \UdfsDisk 875181F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys
Device \Driver\usbuhci \Device\USBPDO-0 875331F8
Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBPDO-1 875331F8
Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbuhci \Device\USBPDO-2 875331F8
Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-3 8752B1F8
Device \Driver\usbehci \Device\USBPDO-3 hcmon.sys
Device \Driver\usbuhci \Device\USBPDO-4 875331F8
Device \Driver\usbuhci \Device\USBPDO-4 hcmon.sys
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys
Device \Driver\usbuhci \Device\USBPDO-5 875331F8
Device \Driver\usbuhci \Device\USBPDO-5 hcmon.sys
Device \Driver\usbuhci \Device\USBPDO-6 875331F8
Device \Driver\usbuhci \Device\USBPDO-6 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-7 8752B1F8
Device \Driver\usbehci \Device\USBPDO-7 hcmon.sys
Device \Driver\cdrom \Device\CdRom0 875AA1F8
Device \Driver\usbhub \Device\USBPDO-8 hcmon.sys
Device \Driver\iaStor \Device\Ide\iaStor0 [8B2120B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8B2120B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8B2120B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\usbhub \Device\00000073 hcmon.sys
Device \Driver\usbhub \Device\00000074 hcmon.sys
Device \Driver\usbhub \Device\00000075 hcmon.sys
Device \Driver\usbhub \Device\00000076 hcmon.sys
Device \Driver\netbt \Device\NetBt_Wins_Export 89BA41F8
Device \Driver\usbhub \Device\00000077 hcmon.sys
Device \Driver\usbhub \Device\00000078 hcmon.sys
Device \Driver\Smb \Device\NetbiosSmb 89B841F8
Device \Driver\usbhub \Device\00000079 hcmon.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{9C86976D-1128-497B-ABD0-088133C397FB} 89BA41F8
Device \Driver\iScsiPrt \Device\RaidPort0 8768D1F8
Device \Driver\usbuhci \Device\USBFDO-0 875331F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 875331F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbhub \Device\0000007a hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-2 875331F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-3 8752B1F8
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{1D6C6FB9-8F72-4A13-ABE8-6D2E5D438791} 89BA41F8
Device \Driver\usbuhci \Device\USBFDO-4 875331F8
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-5 875331F8
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-6 875331F8
Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-7 8752B1F8
Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00D84268-0BE2-92B0-51B5-C88A0B166F98}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00D84268-0BE2-92B0-51B5-C88A0B166F98}@jankhaahokjpplompmjc 0x64 0x61 0x69 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00D84268-0BE2-92B0-51B5-C88A0B166F98}@jankhacgbiiemnpmhfmp 0x68 0x62 0x6F 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FA0EACC3-27AD-DE51-189B-26D19B676474}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FA0EACC3-27AD-DE51-189B-26D19B676474}@nacmomccfjnehmifafekfldceajg 0x69 0x61 0x6E 0x61 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----